Format of a numeric parameter is unknown
The format you have defined for a numeric parameter does not match formats defined in either the OpenAPI Specification (OAS) or JSON Schema Specification. Unknown formats cannot be enforced to protect your API, so it is like you had not defined a format at all.
The following is an example of how this type of risk could look in your API definition. The parameter type is set to
integer but there is a typo in the format, rendering it unknown:
1parameters: 2 type: integer 3 format: int3 4 name: total 5 in: query 6 description: Number of the objects in the array. 7
Possible exploit scenario
If you do not specify an enforceable format of numeric values, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.
For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.
Using your internal, company-specific formats is not currently supported.
Define a known
format for all numeric parameters. This ensures that only parameters of the expected format get passed to the backend.
Numeric parameters type
integer can have the format
int64. Numeric parameters type
number can have the format
1parameters: 2 type: integer 3 name: total 4 in: query 5 format: int32 6 description: Number of the objects in the array. 7
If you want to use your internal, company-specific format, make sure to also use properties like
maxLenght to constrain the accepted values.
Copyright 42Crunch 2021